Security question... how do the hackers get the usernames?

[csgo]

My server hasn't been hacked but I do see hundreds of brute force attacks per day. I find it interesting that if I add a user (example: user123) today I see attacks on that username within 24 hours. All are from IP Addresses in the Asia Pacific Network and I have zero customers in that network.

All attacks are via proftpd.

How do they discover the usernames? I am the only user with elevated authority on the server and I am certain my account is secure.

All users are added via DirectAdmin and have no special rights. There must be some kind of exploit that reveals usernames... this cannot be coincidence or random... all brute force attacks are valid usernames.

I'm on CentOS 6 with all updates. DirectAdmin 1.40.3 with all the latest updates.

Suggestions are welcomed.

Thanks,
-Joe

 

[zEitEr]

Hello,

Did you try to set a very random user name such as RrWccGydL?

The fact that you've got bruteforce attacks from Asia Pacific Network does not make big sense, or deal... as a hacker, who sniffs your traffic, might seat in your DC or your home/office network and have a botnet in Asia. That's Internet.

 

[nobaloney]

When I look at my brute force attack warnings I see they're always for well-known usernames (dictionary attack). Id strongly suggest you take Alex's advice and create a random username, not likely to be in a dictionary, and then do NOT send yourself an email notification that the user has been added (since emails travel the 'net in plaintext), or ever pass that username across the Internet for any reason or in any form. I believe you'll never see an attack on that username. Please let us know if I'm wrong.

Jeff

 

[csgo]

I can tell you with certainty it's not a dictionary attack. The brute force attacks are always on valid usernames. This is a new DirectAdmin server with only about 20 users. I have a Windows server right next to it and don't see the same kinds of attacks. If someone were sniffing packets on that subnet I'd think they'd hit both boxes. Email never leaves that subnet, but the Windows box hosts all the email.

I'm still worried about this.

 

[zEitEr]

I guess you need then do a security audit of your server by yourself or hire somebody (Jeff for example). And here I can suggest only trying to use maldet, rkhunter and manual grepping.

 

[nobaloney]

Thank you, Alex, for your vote of confidence.

@csgo: I would first take the steps I mentioned. Since no others have posted to this thread to respond I'm guessing that the problem isn't widespread, so I'd suggest it's more specific to your system than to any systemic problem with CentOS or DirectAdmin.

Jeff

 

[Anton]

Hey guys i am trying to get chkrootkit and rkhunter to function in cron but all i get is a server restart of some kind and i think it has to do with poorly setup cron.daily rkhunter.sh and chkrootkit.sh i only think that but if you would be so kind to tell me how you accomplished doing that and not getting blank emails ? and also maldet could you tell me how i can install that on my server

 

[zEitEr]

Hello,

First of all what type of a server do you have there: dedicated or VPS/VDS?
Secondly, did you read dmesg? /var/log/messages? In order to find possible clues?

Note, very often faulty hardware might cause kernel panic and the following reboots.

- How To install maldet
http://www.directadmin.com/forum/showthread.php?t=42393&p=216079#post216079

p.s. What are the blank emails?

 

[Anton]

Thank you very much zEitEr

I have no idea what could be causing the reboots ? i will have to invest in another new server soon